[dupe] Tell HN: npm breach
118 points by alexghr on May 27, 2022 | 3 comments
Just got the following email from npm. TLDR:

- "npm username, password hash, and email address in a 2015 npm archive"

- "an attacker abused stolen OAuth user tokens issued to two third-party GitHub.com OAuth integrators, Heroku and Travis CI"

Full email below

---

Hello,

We’re writing to let you know an investigation into unauthorized access to npm infrastructure revealed that your npm account information was accessed by an attacker. This unauthorized access was part of an attack campaign utilizing stolen OAuth user tokens issued to two third-party GitHub.com integrators, Heroku and Travis CI, that has previously been documented on the GitHub blog.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. Read on for more information, as well as on our blog further detailing GitHub's analysis of the attack on npm: https://github.blog/2022-05-26-npm-security-update-oauth-tokens/

* What Happened *

On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party GitHub.com OAuth integrators, Heroku and Travis CI, to download repository data from dozens of GitHub.com organizations. One of the victim organizations impacted was npm. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats. GitHub's initial blog post and subsequent updates regarding the attack campaign can be found on our blog linked above. Following the discovery of npm's initial compromise, GitHub investigated the impact to npm. Based on this analysis, we have evidence the actor was able to access internal npm data and npm customer information.

* What information was involved? *

Your npm username, password hash, and email address in a 2015 npm archive of user information from a skimdb.npmjs.com backup.

* What GitHub is doing *

Upon discovery of the unauthorized access of npm infrastructure, GitHub immediately began an investigation into what was accessed by the attacker. After determining whose information was accessed in the compromise, we directly notified affected users and published our blog post on the investigation.

To ensure your account’s security, we've also rotated your npm password and you will be required to reset your password via https://www.npmjs.com/forgot.

* What you can do *

If you use the same password for any other service, we recommend that you change it on that service as well. We do not recommend reusing passwords, and guidance on strong passwords is available here:

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-strong-password

In addition, we highly recommend enabling 2FA on both your npm account and the email address used for your npm account if you've not done so already:

https://docs.npmjs.com/configuring-two-factor-authentication

Please feel free to reach out to GitHub Support with any additional questions or concerns:

https://support.github.com/contact?subject=GH-0200941-4895-7+questions&tags=GH-0200941-4895-7

Thanks, GitHub Security

GitHub have posted a blog post detailing everything here https://github.blog/2022-05-26-npm-security-update-oauth-tok...

Comments moved thither. Thanks!